Hi,
i found out the ssh port 222 was reachable from internet on red interface of my “Core-Update-Level: 172” ipfire machine.
Thanks to a TRACE i found out such a line :
Feb 12 19:39:42 ipfire kernel: TRACE: filter:IPS_INPUT:rule:1 IN=red0 … DPT=222
also i could see such output :
(iptables -L -n -v --line-numbers -t filter)
Chain IPS_INPUT (1 references)
num pkts bytes target prot opt in out source destination
1 4873 763K NFQUEUE all – red0 * 0.0.0.0/0 0.0.0.0/0 NFQUEUE balance 0:1 bypass cpu-fanout
2 13352 1715K NFQUEUE all – green0 * 0.0.0.0/0 0.0.0.0/0 NFQUEUE balance 0:1 bypass cpu-fanout
3 0 0 NFQUEUE all – blue0 * 0.0.0.0/0 0.0.0.0/0 NFQUEUE balance 0:1 bypass cpu-fanout
after more investigations i found out that commenting and uncommenting the 3 " iptables -N IPS" lines in /etc/rc.d/init.d/firewall ( , some stop/start ) , it repaired this scary situation
iptables -N IPS_INPUT
iptables -N IPS_FORWARD
iptables -N IPS_OUTPUT
now i have nothing :
Chain IPS_INPUT (1 references)
num pkts bytes target prot opt in out source destination
it raises 2 questions :
- is it possible that “forgotten” IPS_INPUT lines in the filter table were persisted across updates and reboots ?
- does anybody knows if there is any IPS or QOS updates during the long history of updates for this machine that could have introduced this scary situation ?
Regards,
Yann.